[wp-hackers] Admin Login Brute Force Attacks

Doug Stewart zamoose at gmail.com
Wed Mar 20 22:30:11 UTC 2013


Correct horse battery staple.


On Wed, Mar 20, 2013 at 6:21 PM, Ian Dunn <ian at iandunn.name> wrote:

> Do you mean they'll have no effect on preventing the login attempts, in
> the way that IP banning does? I'd agree with that, but I don't think that's
> the only way to have an effect.
>
> The reason I thought it was relevant was because a simple password like
> "ilovefluffy" would take a script a few hours/days to crack, while a
> WP-generated password like "'}?(x${G9oYRM.7" would take years/decades (via
> HTTP, but obviously much less if they had the db hash).
>
> I do think you make a good point about frustrating users, though, which
> can often have the unintended consequence of encouraging them to adopt
> insecure practices to make things more convenient for themselves (e.g.,
> writing the new password on a sticky note because it's too complex to
> memorize). For computer-literate users, I think encouraging them to use a
> password manager might be a good idea, but that would be too complicated
> for some beginners.
>
>
>
> On 03/20/2013 02:44 PM, Chris Williams wrote:
>
>> Stricter password rules have virtually no effect on brute force attacks,
>> they simply infuriate legitimate users.
>>
>> On 3/20/13 1:29 PM, "Ian Dunn" <ian at iandunn.name> wrote:
>>
>>> #21737 will tighten password rules.



-- 
-Doug

